Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: How secure is PHP ?
From: "Gary E. Miller" <gem () rellim com>
Date: Thu, 4 Nov 2004 10:07:44 -0800 (PST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Ron!

On Thu, 4 Nov 2004, Ron DuFresne wrote:

I'm not sure php is all that safe for public consumption as you sir.  A
quick look at security focus, searching the vuln db for PHP, nothing more
comes up with this history;

You neglected to include PHP Bug # or CERT identifiers so it is a bit
hard to work with your list. Looking at the Official PHP Bug list I am
having a hard time matching your list.  Oh, you just searched those
bozos at securityfocus.

Wow, 7 whole problems with PHP/Linux at SecurityFocus in 2004!  Wanna
compare that to IIS or Apache(123), Java (5) during the same time?
Funny thing searching SecurityFocus for IIS shows nothing for 2004?
Yeah right. :-) I never said PHP was perfect, all popular software has
had problems now and then.

None of these could affect an Apache server that did not already
execute PHP code.  Just having the PHP installed in the Apache was not
sufficient.  Several do not seem to me (or the PHP folks) to be real
bugs.  Only one affected a LAMP system that is validateing all user input
before using it and that was promptly fixed.

None of these came close to affecting any PHP I have written or maintain.

I'll take those odds any day, and of course will keep my systems fully
patched.  Since 50% of all Apache servers have PHP installed my opinion
is pretty common.

     2004-10-28:    PHP cURL Open_Basedir Restriction Bypass Vulnerability

Non-standard extension based on C library. Bug #30610 marked as BOGUS.
Since when is allowing the PROGRAMMER to access the local file system a
problem?  The PROGRAMMER is always supposed to validate user supplied
input.

     2004-10-25:    PHP Remote Arbitrary Location File Upload Vulnerability

PHP Bug #28456.  I do not agree this is a bug.  PHP was just exporting
the functionality of the standard C file i/o.  If a program fails to
validate the input it feeds to file system functions it is programmer
error.  The fact a file system function can do full pathing/globbing is
a feature not a bug.

     2004-10-25:    PHP PHP_Variables Remote Memory Disclosure Vulnerability

Only applies if the programmer formats user supplied data without
first validateing it.  C printf has the same problem noone calls that
a bug.

     2004-10-16:    PHP memory_limit Remote Code Execution Vulnerability

The one REAL problem here.

Bug # 29241, was promptly fixed and depending on the programmer using
specific code to be exploited.  Closely related to a similar bug in Apache.

     2004-09-15:    PHP Strip_Tags() Function Bypass Vulnerability

Never used it.  Trying to allow users to allow SOME html tags to be
uploaded is just asking for problems.  Man page ALWAYS warned about it's
limitations.  Only a problem if recommended safe PHP.INI config is not used
and programmer failed to validate input.

     2004-06-07:    PHP Microsoft Windows Shell Escape Functions
                    Command Execution Vulnerability

M$, blah, you deserve to be hacked.

     2004-05-27:    PHP Input/Ouput Wrapper Remote Include Function
                    Command Execution Weakness

PHP Bug #28456.  I do not agree this is a bug.  If a program fails to
validate the input it feeds to file system functions it is programmer error.
The fact a file system function can do full pathing/globbing is a feature
not a bug.

     2004-03-24:    PHP openlog() Buffer Overflow Vulnerability

No PHP Bug #.

If the programmer logs unvalidated user supplied input there can be a
problem.  If code does this it is stupid anyway.  Similar problem in C.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBim/28KZibdeR3qURAjqZAJ9I+phbXgMG2G9JhLt6hk7Jbp3jywCfbowO
owGWx/gzcsZx3V7h2sBhajY=
=E6Qq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault